A surprisingly simple service-based approach makes implementing end-to-end encryption and tokenization in your payment environment simpler than you might think.
In recent years, most merchants have followed the Payment Card Industry Data Security Standard (PCI DSS) guidelines to institute numerous security measures that have reduced the risk of loss or theft of sensitive cardholder data. Nevertheless, vulnerabilities remain and costly breaches still occur. This situation is leading many merchants to turn to solutions that exceed the current PCI DSS guidelines.
A new service-based solution set now available from major players in the payments processing industry addresses many merchant concerns. End-to-end encryption (E2EE) combined with data tokenization provides enhanced security by protecting sensitive cardholder data from the point of capture through delivery to the payment processor, and by eliminating cardholder data from the merchant’s environment post-authorization. With these two technologies in place, the data handled by a merchant is far less vulnerable in the event of a breach, simply because encrypted or tokenized data is useless to a thief.
Large merchants who feel battle-scarred after years of implementing new security technologies and procedures may be hesitant about undertaking yet another implementation to add E2EE and tokenization to their systems. In this case, however, the hesitation is unjustified: the service-based approach to bringing E2EE, tokenization, or both to a merchant’s environment is surprisingly simple.
A merchant needs to undertake at most four activities to gain the benefit of these technologies in a service-based scenario, and depending on the merchant’s current data environment and business processes, it may not be necessary to undertake all four. The implementation process goes like this:
- Discover and convert legacy data stored in a data warehouse to token numbers only if needed
- Modify the message specification that is sent to the processor
- Embed encryption if needed or desired
- Make minor modifications to business processes only if needed
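To make the first step concrete, the following Python sketch is an added illustration (not code from this paper or from any payment processor) of what a processor-side token vault does and how a merchant's legacy warehouse rows are converted. The card numbers are well-known test values, the row contents and the `TokenVault`, `convert_legacy_rows` and `find_residual_pans` names are constructed for this example, and the vault key is a placeholder. The last check is the one a practitioner wants after a conversion: scan the converted data for anything that still looks like a real PAN.

```python
"""Simulated processor-side token vault plus merchant-side legacy data conversion.
Added illustration only; not code from the paper or any processor. All card
numbers and rows are constructed test values, not real cardholder data."""
import hmac
import hashlib
import secrets


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault: the only place the PAN-to-token mapping exists."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key          # keyed index; placeholder key in the demo
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # HMAC of the PAN lets the vault return the same token for a repeat card
        # without keeping a lookup structure keyed by the plaintext PAN.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            # Random leading digits, last four preserved for receipts and customer
            # service; Luhn-valid candidates are rejected so a token can never be
            # mistaken for, or used as, a real card number.
            candidate = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_valid(candidate) and candidate not in self._pan_by_token:
                break
        self._pan_by_token[candidate] = pan
        self._token_by_index[idx] = candidate
        return candidate

    def detokenize(self, token: str) -> str:
        """Only the processor ever calls this; the merchant holds tokens alone."""
        return self._pan_by_token[token]


def convert_legacy_rows(rows: list[dict], vault: TokenVault) -> list[dict]:
    """Merchant-side step 1: replace stored PANs with tokens and drop the PAN field."""
    converted = []
    for row in rows:
        new_row = {k: v for k, v in row.items() if k != "pan"}
        new_row["token"] = vault.tokenize(row["pan"])
        converted.append(new_row)
    return converted


def find_residual_pans(rows: list[dict]) -> list[str]:
    """Post-conversion check: any digit-only value that passes Luhn is a leftover PAN."""
    return [
        v for row in rows for v in row.values()
        if isinstance(v, str) and v.isdigit() and 13 <= len(v) <= 19 and luhn_valid(v)
    ]


# Constructed sample warehouse rows using well-known test card numbers.
LEGACY_ROWS = [
    {"order_id": "A-1001", "pan": "4111111111111111", "amount": "42.00"},
    {"order_id": "A-1002", "pan": "5555555555554444", "amount": "17.50"},
    {"order_id": "A-1003", "pan": "4111111111111111", "amount": "9.99"},  # repeat customer
]


def demo():
    vault = TokenVault(index_key=b"constructed-demo-key")   # placeholder, not a real key
    converted = convert_legacy_rows(LEGACY_ROWS, vault)
    return vault, converted


if __name__ == "__main__":
    vault, converted = demo()
    for row in converted:
        print(row)
    print("residual PANs after conversion:", find_residual_pans(converted))
```

Because the same PAN always maps to the same token, the merchant keeps repeat-customer and chargeback reporting on the tokenized warehouse; because a token is never Luhn-valid and the mapping lives only at the processor, a stolen copy of the converted rows carries no usable card data.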
The implementation process is merchant friendly and can be done in a manner and on a schedule that makes the most sense for the merchant. Tokenization can be implemented independently of encryption, and vice versa, at the merchant’s discretion.
The remainder of this paper describes the merchant’s implementation process when E2EE and tokenization are delivered as a service by the merchant’s payment processor. In most cases, there is no investment to make in new hardware, which minimizes the merchant’s costs. At the same time, the merchant can reasonably expect long-term savings from reduced PCI compliance requirements.